problem converting pkcs12 file into a pem - x509certificate

I am trying to convert a client certificate from a pkcs12 type to a pem file using openssl, but this error is shown on my terminal. Does anyone have any idea why this is happening? I haven't edited or manually changed the p12 file. Even when I try to get some info from the .p12 file it shows an error.
# openssl pkcs12 -in Desktop/cert.p12 -nokeys -out Desktop/cert-file.pem
139728018543680:error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag:../crypto/asn1/tasn_dec.c:1130:
139728018543680:error:0D07803A:asn1 encoding routines:asn1_item_embed_d2i:nested asn1 error:../crypto/asn1/tasn_dec.c:290:Type=PKCS12

Your cert looks like a PEM certificate which you are converting to PEM again.
Just edit the certificate by keeping only the contents between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- and then try. It should work.
Example:
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
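Added example, not part of the answer above: a small Go check (function and type names are mine) that reports what a file actually holds before it is handed to openssl. PEM text starts with "-----BEGIN", whereas a real PKCS#12 file is DER that begins with the ASN.1 SEQUENCE tag 0x30 followed by an INTEGER version 3; handing PEM to "openssl pkcs12 -in" is what yields the "wrong tag" error shown in the question. samplePFX builds a constructed, content-free PKCS#12 skeleton so the check can be exercised offline.

```go
package main

import (
	"bytes"
	"encoding/asn1"
	"encoding/pem"
)

// pfxHeader mirrors the start of a PKCS#12 PFX structure (RFC 7292):
// SEQUENCE { version INTEGER (3), authSafe ContentInfo, macData OPTIONAL }.
type pfxHeader struct {
	Version  int
	AuthSafe asn1.RawValue
	MacData  asn1.RawValue `asn1:"optional"`
}

// describeKeyMaterial says what a file actually holds before it is handed to
// an openssl subcommand. PEM starts with "-----BEGIN", DER with the ASN.1
// SEQUENCE tag 0x30; passing PEM to "openssl pkcs12 -in" is exactly what
// produces the "wrong tag" error shown in the question.
func describeKeyMaterial(data []byte) string {
	trimmed := bytes.TrimLeft(data, " \t\r\n")
	if bytes.HasPrefix(trimmed, []byte("-----BEGIN ")) {
		if block, _ := pem.Decode(trimmed); block != nil {
			return "PEM " + block.Type
		}
		return "PEM (malformed)"
	}
	if len(trimmed) == 0 || trimmed[0] != 0x30 {
		return "unknown (neither PEM nor DER)"
	}
	var hdr pfxHeader
	if _, err := asn1.Unmarshal(trimmed, &hdr); err == nil && hdr.Version == 3 {
		return "DER PKCS#12 (version 3)"
	}
	return "DER (not PKCS#12)"
}

// samplePFX builds a constructed, content-free PKCS#12 skeleton so the
// detector can be exercised offline; it is not a loadable keystore.
func samplePFX() []byte {
	empty := asn1.RawValue{Class: asn1.ClassUniversal, Tag: asn1.TagSequence, IsCompound: true}
	out, err := asn1.Marshal(pfxHeader{Version: 3, AuthSafe: empty})
	if err != nil {
		panic(err)
	}
	return out
}
```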

Related

Verifying the password of generated x509 certificate

I have created a x509 certificate. There is a set of openssl commands I used to create it, for example the first command is:
openssl genrsa -passout pass:"$MYPWD" -out privkey.key 2048
where "$MYPWD" is an environment variable where I set the password. After executing this command, how would I check that the password is actually the value of MYPWD environment variable, and not just literally "$MYPWD"?
Thank you everyone in advance!
You must specify a cipher to encrypt the output.
openssl genrsa -aes256 -passout env:MYPWD -out privkey.key 2048
To verify that the password was actually set, simply read back the key:
openssl pkey -in privkey.key
You will see the password prompt.
You can also inspect the content of the privkey.key, "ENCRYPTED"... will be there.
cat privkey.key
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,3A2E02985A117F7266F9664420F685B2
...

"No DEK-Info header in block" when attempting to read encrypted private key

I'm trying to read an encrypted PKCS8 private key file. I generated the keys like this:
openssl genrsa -out file.pem -passout pass:file -aes256 1024
openssl pkcs8 -topk8 -inform pem -in file.pem -outform pem -out filePKCS8.pem
And I try reading it in Go this way:
block, _ := pem.Decode(key)
return x509.DecryptPEMBlock(block, password)
But I get an error saying:
x509: no DEK-Info header in block
However, I can't figure out what's going wrong. Am I generating the key wrong or am I using the wrong library? I see libraries specifically for reading unencrypted PKCS8 files but none for encrypted PKCS8 files specifically.
Does anyone have any idea?
Go doesn't have a function to decrypt PKCS8 keys in the standard library.
You can use this package:
https://github.com/youmark/pkcs8/blob/master/pkcs8.go#L103
A longer explanation for anyone with the same problem.
What would work
Your first command
openssl genrsa -out file.pem -passout pass:file -aes256 1024
generates a PKCS#1 private key file (file.pem):
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,1DA219DB746F88C6DDA0D852A0FD3232
AEf09rGkgGEJ79GgO4dEVsArwv4IbbODlxy95uHhfkdGYmuk6OlTpiCUE0GT68wn
KFJfBcHr8Z3VqiHGsXxM5QlKhgnfptxfbrdKErgBD5LQcrvnqmf43KeD4lGQcpiy
...
...
mAKMCwiU/GKZz8ZwQ4qGkBlVVCOFfgwmfbqguJF2l8yzM8lYI9MZ9NEwKkvEbc
-----END RSA PRIVATE KEY-----
This private key file can be parsed and decrypted by x509.DecryptPEMBlock() alright.
What would not work and why
Your second command
openssl pkcs8 -topk8 -inform pem -in file.pem -outform pem -out filePKCS8.pem
converts that file into PKCS#8 format (filePKCS8.pem).
The subcommand genpkey would directly produce a similar result:
openssl genpkey -algorithm RSA -aes256 \
-pkeyopt rsa_keygen_bits:1024 -out filePKCS8.pem
The generated filePKCS8.pem (either way) would look similar to this:
-----BEGIN ENCRYPTED PRIVATE KEY-----
MIISrTBXBgkqhkiG9w0BBQ0wSjKpBgkqhkiG9w0BBQwwHAQIKL+ordsVfqsCAggB
MAwGCCqGSIb3DQIJCQAwHQYJYIZIWAUDBAEqBBCipOAAxWkC0/zkNLNYTSMgBIIS
...
...
zfdxjZ0XmPiwED2azsLMnRrWnRj2UqMtnv9zO/ucik9za
-----END ENCRYPTED PRIVATE KEY-----
x509.DecryptPEMBlock() does not support this format. And as specified in #8860, Go's core library has no real plan to support PKCS#8 in the near future.
As mentioned by Gregory, if you want to work with it, you'll have better luck with a 3rd party library like github.com/youmark/pkcs8 (Documentation).
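Added example, not from this answer or from Go's documentation: a loader that branches on the PEM block type, so the legacy genrsa output is decrypted with x509.DecryptPEMBlock while the PKCS#8 "ENCRYPTED PRIVATE KEY" form is rejected with an explicit error instead of the misleading DEK-Info one. Function and error names are mine; legacyEncryptedPEM builds a constructed sample key in memory, and the x509 PEM-encryption helpers it uses are deprecated but still present in the standard library.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"encoding/pem"
	"errors"
)

// errPKCS8Encrypted: crypto/x509 cannot decrypt this form; use a third-party PKCS#8 package.
var errPKCS8Encrypted = errors.New("encrypted PKCS#8 key: not supported by crypto/x509")

// loadRSAKey tells the two encodings apart by PEM block type before decrypting:
// "RSA PRIVATE KEY" carries the DEK-Info header DecryptPEMBlock needs, "ENCRYPTED PRIVATE KEY" never does.
func loadRSAKey(pemBytes, password []byte) (*rsa.PrivateKey, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil {
		return nil, errors.New("no PEM block found")
	}
	switch block.Type {
	case "ENCRYPTED PRIVATE KEY":
		return nil, errPKCS8Encrypted
	case "RSA PRIVATE KEY":
		if !x509.IsEncryptedPEMBlock(block) { // no Proc-Type/DEK-Info headers
			return x509.ParsePKCS1PrivateKey(block.Bytes)
		}
		der, err := x509.DecryptPEMBlock(block, password)
		if err != nil {
			return nil, err // wrong password gives x509.IncorrectPasswordError
		}
		return x509.ParsePKCS1PrivateKey(der)
	}
	return nil, errors.New("unexpected PEM block type " + block.Type)
}

// legacyEncryptedPEM builds a constructed sample of what genrsa -aes256 writes:
// a PKCS#1 body under Proc-Type/DEK-Info headers, encrypted with password.
func legacyEncryptedPEM(password []byte) ([]byte, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	block, err := x509.EncryptPEMBlock(rand.Reader, "RSA PRIVATE KEY",
		x509.MarshalPKCS1PrivateKey(key), password, x509.PEMCipherAES256)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(block), nil
}
```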

Unix encrypt file using public .asc key

I have a file I need to encrypt with a public key I got public.asc. This key was shared with me over encrypted email. I have a zip file that I need to encrypt using this public key and share over SFTP.
I tried using openssl:
openssl rsautl -encrypt -inkey public.asc -pubin -in file.zip -out file.zip.enc
but openssl displays the flag options and no error message. Also, I'm suspecting that .asc files should be encrypted with some other software.
Thanks

Creating RSA Private Key from PFX (PKCS #12) file

I'm trying to get a private RSA key from a pkcs #12 file.
I've tried running the standard
openssl pkcs12 -nocerts -out priv.pem -in domain.com.pfx
However this results in a key file like the one below:
Bag Attributes
Microsoft Local Key set: <No Values>
localKeyID: 01 00 00 00
friendlyName: xxxxxxxx
Microsoft CSP Name: Microsoft RSA SChannel Cryptographic Provider
Key Attributes
X509v3 Key Usage: 10
-----BEGIN ENCRYPTED PRIVATE KEY-----
The server that I need to put it into cannot handle the key file, and when I look at the example data I see a file like below
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,2CF27DD60B8BB3FF
And of course the key is present in both files.
However it seems the server will only accept an RSA Private key file, and it seems to me like the output I get is a X509v3 file. Does anyone know how to get this to an RSA Private key file?
Well - using a text editor to remove the offending lines may be easiest. Otherwise below will clean up the bag attributes:
openssl pkcs12 -in x.pfx -nocerts -nodes -passin pass:123456 | openssl rsa -out privkey.pem
and can also be used to get der/net
openssl pkcs12 -in x-fred.p12 -nocerts -nodes -passin pass: | openssl rsa -outform DER -out privkey.der
which may be in fact the format you want. It is fairly common for tools to not accept a passwordless private key though (and a lot of tools will silently fail if the # of chars is not at least 4 or 6). So in those cases change the tail end to:
.... | openssl rsa -passout pass:123456 -out privkey.pem
.... | openssl rsa -passout pass:123456 -out privkey.der -outform der
On Windows 7 64bit, you can simply use your command. But on Mac and Linux, you should do the following steps:
1, create your pem file:
openssl pkcs12 -in xxx.pfx -out xxx.pem
2, create your rsa private key :
openssl pkcs12 -in xxx.pfx -passin pass:yourpassword | openssl rsa -des3 -passout pass:yourpassowrd -out xxx.key
this step will create the key file with the content:
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,2CF27DD60B8BB3FF
3, open your .pem and .key file in a text editor, and replace the original key "-----BEGIN ENCRYPTED PRIVATE KEY-----" in the .pem file
with the RSA key in the .key file.
This works for me:
openssl pkcs12 -in "$1" \
-nocerts -nomacver \
-passin file:<(cat "$pw") \
-passout file:<(cat "$pw") |
sed -n '/^-----BEGIN ENCRYPTED PRIVATE KEY-----/,/^-----END ENCRYPTED PRIVATE KEY-----/p'

Create .pem file for Google Manage Domains

I used this code
# Generate the RSA keys and certificate
openssl req -x509 -nodes -days 365 -newkey rsa:1024 -sha1 -subj \
'/C=US/ST=CA/L=Mountain View/CN=www.example.com' -keyout \
myrsakey.pem -out /tmp/myrsacert.pem
From here:
http://code.google.com/apis/gdata/docs/auth/authsub.html#Registered
Google links to this from their own ManageDomains site. I have used the code, and uploaded the pem file to Google. When I test it, it gives me this error:
SyntaxError: Missing PEM Prefix
Can anyone point me in the right direction, I've wasted several hours on this.
Thanks!
You have to send myrsacert.pem to Google, not myrsakey.pem !
The file has to contain:
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
source code:
start = s.find("-----BEGIN CERTIFICATE-----")
end = s.find("-----END CERTIFICATE-----")
if start == -1:
    raise SyntaxError("Missing PEM prefix")
